(usagi-users 03144) Re: [Ipsec-tools-devel] How to send additional data from kernel to racoon?

[Michal Ludvig <michal@xxxxxxxx>]

On Sat, 20 Nov 2004, Aidas Kasparas wrote:

> Park Lee wrote:
> > > Then, I would:
> > > - add field for colorcoding into SA datastructure;
> > > - extend SA selection algorithm to include check for color code;
> > > - if kernel will not find appropriate SA, it will send ACQUIRE
> > > message, which has to be extended with required colorcode ant other
> > > info you need (most likely by adding KMPRIVATE extension);
> > 
> > But, In  Appendix C: Key Management Private Data Extension(RFC2367), It
> > says: The Key Management Private Data extension is attached to either an
> > SADB_ADD or SADB_UPDATE message. It attaches a single piece of arbitrary
> > data to a security association....
> > 
> > Then, Would you please tell me Can KMPRIVATE extension also be attached
> > to SADB_ACQUIRE message?  
> > 
> 
> Technically, yes, it can be attached. Extensions are constructed the way, that
> even unknown extension can be skipped over and dealt with only those, what are
> known to application. On the other hand, both, kernel and racoon "normalizes"
> packet first, and only then takes required information from normalized packet.
> 
> Politically... politically maybe you'd better invent extension specifically
> for your application (as there are others invented for NAT-T, etc; see
> /usr/include/linux/pfkeyv2.h SADB_EXT* SADB_X_EXT* definitions) document and
> implement it. Then you'll be free to define which messages it can be attached.

I haven't closely followed the thread but ... how about moving from PF_KEY 
to NetLink in IPsec-tools on Linux? NetLink messages are more versatile I 
think and could better suit Park's requirements. But it's just my feeling, 
I don't know too much about NetLink either ;-)

Michal Ludvig
-- 
* A mouse is a device used to point at the xterm you want to type in.
* Personal homepage - http://www.logix.cz/michal